rfcdiff: draft-ietf-babel-information-model-11.txt vs draft-ietf-babel-information-model-12.txt

(The two drafts were extracted side by side; below, the draft-12 text
is given in full and differences from draft-11 are noted in brackets.)

draft-11 header:

Babel routing protocol                                          B. Stark
Internet-Draft                                                      AT&T
Intended status: Informational                           M. Jethanandani
Expires: February 15, 2021                                        VMware
                                                         August 14, 2020

                        Babel Information Model
                 draft-ietf-babel-information-model-11

draft-12 header:

Babel routing protocol                                        B.H. Stark
Internet-Draft                                                      AT&T
Intended status: Informational                         M.J. Jethanandani
Expires: 30 July 2021                                             VMware
                                                         26 January 2021

                        Babel Information Model
                 draft-ietf-babel-information-model-12
Abstract

   This Babel Information Model provides structured data elements for a
   Babel implementation reporting its current state and may allow
   limited configuration of some such data elements. This information
   model can be used as a basis for creating data models under various
   data modeling regimes. This information model only includes
   parameters and parameter values useful for managing Babel over IPv6.

   [draft-11: the abstract ends at "data modeling regimes."; the final
   sentence about IPv6 is new in draft-12.]
Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF). Note that other groups may also distribute
   working documents as Internet-Drafts. The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 30 July 2021.

   [draft-11: "This Internet-Draft will expire on February 15, 2021."]
Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document. Code Components
   extracted from this document must include Simplified BSD License text
   as described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Simplified BSD License.

   [draft-11: "Copyright (c) 2020 IETF Trust ..."; the remaining text is
   identical apart from line wrapping.]
Table of Contents

   1.  Introduction
     1.1.  Requirements Language
     1.2.  Notation
   2.  Overview
   3.  The Information Model
     3.1.  Definition of babel-information-obj
     3.2.  Definition of babel-constants-obj
     3.3.  Definition of babel-interface-obj
     3.4.  Definition of babel-if-stats-obj
     3.5.  Definition of babel-neighbor-obj
     3.6.  Definition of babel-route-obj
     3.7.  Definition of babel-mac-key-set-obj
     3.8.  Definition of babel-mac-key-obj
     3.9.  Definition of babel-dtls-cert-set-obj
     3.10. Definition of babel-dtls-cert-obj
   4.  Extending the Information Model
   5.  Security Considerations
   6.  IANA Considerations
   7.  Acknowledgements
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Authors' Addresses

   (The section list is the same in both drafts; only the page numbers
   differ, and they are omitted here.)
1.  Introduction

   Babel is a loop-avoiding distance-vector routing protocol defined in
   [I-D.ietf-babel-rfc6126bis]. [I-D.ietf-babel-hmac] defines a
   security mechanism that allows Babel packets to be cryptographically
   authenticated, and [I-D.ietf-babel-dtls] defines a security mechanism
   that allows Babel packets to be both authenticated and encrypted.
   This document describes an information model for Babel (including
   implementations using one or both of these security mechanisms) that
   can be used to create management protocol data models (such as a
   NETCONF [RFC6241] YANG [RFC7950] data model).

   [draft-11: describes the DTLS mechanism as one "that allows Babel
   packets to be encrypted", and the closing parenthesis after "data
   model" is missing.]

   Due to the simplicity of the Babel protocol, most of the information
   model is focused on reporting Babel protocol operational state, and
   very little of that is considered mandatory to implement for an
   implementation claiming compliance with this information model. Some
   parameters may be configurable. However, it is up to the Babel
   implementation whether to allow any of these to be configured within
   its implementation. Where the implementation does not allow
   configuration of these parameters, it MAY still choose to expose them
   as read-only.

   The Information Model is presented using a hierarchical structure.
   This does not preclude a data model based on this Information Model
   from using a referential or other structure.

   [added in draft-12:]

   This information model only includes parameters and parameter values
   useful for managing Babel over IPv6. This model has no parameters or
   values specific to operating Babel over IPv4, even though
   [I-D.ietf-babel-rfc6126bis] does define a multicast group for sending
   and listening to multicast announcements on IPv4. There is less
   likelihood of breakage due to inconsistent configuration and
   increased implementation simplicity if Babel is operated always and
   only over IPv6. Running Babel over IPv6 requires IPv6 at the link
   layer and does not need advertised prefixes, router advertisements or
   DHCPv6 to be present in the network. Link-local IPv6 is widely
   supported among devices where Babel is expected to be used. Note
   that Babel over IPv6 can be used for configuration of both IPv4 and
   IPv6 routes.
1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP014 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

   [draft-11: omits "NOT RECOMMENDED" and reads "... are to be
   interpreted as described in [RFC2119] and updated by [RFC8174]."]
1.2.  Notation

   This document uses a programming language-like notation to define the
   properties of the objects of the information model. An optional
   property is enclosed by square brackets, [ ], and a list property is
   indicated by two numbers in angle brackets, <m..n>, where m indicates
   the minimal number of list elements, and n indicates the maximum
   number of list elements. The symbol * for n means there are no
   defined limits on the number of list elements. Each parameter and

   [rfcdiff: skipping to change at page 3, line 40 (draft-11) / page 4,
   line 14 (draft-12); the intervening unchanged text is not shown]

   deleted. If an implementation is allowed to choose to implement a
   "rw" parameter as read-only, this is noted in the parameter
   description.
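   The notation above (access markers "rw", "ro" and "--", optional
   properties in [ ], list bounds in <m..n>) is simple enough that a
   data-model generator can parse it directly. The following parser is
   an added example, not code from either draft; it reads the
   babel-mac-key-obj and babel-mac-key-set-obj definitions shown later
   on this page (draft-12 names) and reports which properties the model
   marks configurable and which must never be returned on read. The
   helper names (parse_object, unreadable, configurable) are this
   example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Two definitions copied from this page (draft-12 wording) so the parser
# exercises every notation feature: access markers, "--" (not readable),
# an optional property in [ ], and a list with <m..n>.
SAMPLE_KEY = """
object {
    string rw babel-mac-key-name;
    boolean rw babel-mac-key-use-send;
    boolean rw babel-mac-key-use-verify;
    binary -- babel-mac-key-value;
    string rw babel-mac-key-algorithm;
    [operation babel-mac-key-test;]
} babel-mac-key-obj;
"""

SAMPLE_SET = """
object {
    boolean rw babel-mac-default-apply;
    babel-mac-key-obj rw babel-mac-keys<0..*>;
} babel-mac-key-set-obj;
"""

@dataclass
class Property:
    type_name: str
    name: str
    access: Optional[str]     # "rw", "ro", "--", or None (operations carry no marker)
    optional: bool            # written inside [ ]
    min_count: int            # 1 for a scalar property
    max_count: Optional[int]  # None stands for "*", no defined limit

@dataclass
class ObjectDef:
    name: str
    properties: list

# One property line: <type> [<access>] <name>[<m..n>];
PROP_RE = re.compile(
    r"^(?P<type>[\w.-]+)\s+(?:(?P<access>rw|ro|--)\s+)?(?P<name>[\w.-]+)"
    r"(?:<(?P<min>\d+)\.\.(?P<max>\d+|\*)>)?;$"
)

def parse_property(line: str) -> Property:
    optional = line.startswith("[") and line.endswith("]")
    body = line[1:-1] if optional else line
    m = PROP_RE.match(body)
    if not m:
        raise ValueError(f"unrecognised property line: {line!r}")
    min_count = int(m["min"]) if m["min"] is not None else 1
    if m["max"] is None:
        max_count = 1
    elif m["max"] == "*":
        max_count = None
    else:
        max_count = int(m["max"])
    return Property(m["type"], m["name"], m["access"], optional, min_count, max_count)

def parse_object(text: str) -> ObjectDef:
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if not lines or lines[0] != "object {":
        raise ValueError("definition must open with 'object {'")
    tail = re.match(r"^\}\s+(?P<name>[\w.-]+);$", lines[-1])
    if not tail:
        raise ValueError("definition must close with '} <name>;'")
    return ObjectDef(tail["name"], [parse_property(ln) for ln in lines[1:-1]])

def unreadable(obj: ObjectDef) -> list:
    """Names an implementation must never return a value for ('--' access)."""
    return [p.name for p in obj.properties if p.access == "--"]

def configurable(obj: ObjectDef) -> list:
    """Names that are 'rw' in the model (an implementation MAY still expose them as 'ro')."""
    return [p.name for p in obj.properties if p.access == "rw"]

if __name__ == "__main__":
    for src in (SAMPLE_KEY, SAMPLE_SET):
        obj = parse_object(src)
        print(obj.name, "rw:", configurable(obj), "hidden:", unreadable(obj))
```

   A generator built on this would treat "--" properties as write-only
   at creation time, which is exactly the handling the MAC key value and
   the DTLS private key require in the sections that follow.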
   The object definitions use base types that are defined as follows:

   binary      A binary string (sequence of octets).

   boolean     A type representing a Boolean (true or false) value.

   counter     A non-negative integer that monotonically increases.
               Counters may have discontinuities and they are not
               expected to persist across restarts.
               [added in draft-12]

   datetime    A type representing a date and time using the Gregorian
               calendar. The datetime format MUST conform to RFC 3339
               [RFC3339] Section 5.6.
               [draft-11: cites "[RFC3339]" without the section number.]

   ip-address  A type representing an IP address. This type supports
               both IPv4 and IPv6 addresses.

   operation   A type representing a remote procedure call or other
               action that can be used to manipulate data elements or
               system behaviors.

   reference   A type representing a reference to another information or
               data model element or to some other device resource.
   [rfcdiff: skipping to change at page 5, line 38 (draft-11) / page 6,
   line 7 (draft-12); the intervening unchanged text is not shown]

      |  +-- babel-route-received-metric
      |  +-- babel-route-calculated-metric
      |  +-- babel-route-seqno
      |  +-- babel-route-next-hop
      |  +-- babel-route-feasible
      |  +-- babel-route-selected
      +-- babel-mac-key-sets
      |  +-- babel-mac-default-apply
      |  +-- babel-mac-keys
      |     +-- babel-mac-key-name
      |     +-- babel-mac-key-use-send
      |     +-- babel-mac-key-use-verify
      |     +-- babel-mac-key-value
      |     +-- babel-mac-key-algorithm
      |     +-- babel-mac-key-test
      +-- babel-dtls-cert-sets
         +-- babel-dtls-default-apply
         +-- babel-dtls-certs
            +-- babel-cert-name
            +-- babel-cert-value
            +-- babel-cert-type
            +-- babel-cert-private-key
            +-- babel-cert-test

   [draft-11: the key node is named babel-mac-key-use-sign, and
   babel-cert-test is absent from the tree.]
   Most parameters are read-only. Following is a descriptive list of
   the parameters that are not required to be read-only:

   *  enable/disable Babel
   *  create/delete Babel MAC Key sets
   *  create/delete Babel Certificate sets
   *  enable/disable statistics collection
   *  Constant: UDP port
   *  Constant: IPv6 multicast group
   *  Interface: enable/disable Babel on this interface
   *  Interface: Metric algorithm
   *  Interface: Split horizon
   *  Interface: sets of MAC keys
   *  Interface: verify received MAC packets
   *  Interface: set of certificates for use with DTLS
   *  Interface: use cached info extensions
   *  Interface: preferred order of certificate types
   *  Interface: enable/disable packet log
   *  MAC-keys: create/delete entries
   *  MAC-keys: key used for sent packets
   *  MAC-keys: key used to verify packets
   *  DTLS-certs: create/delete entries

   The following parameters are required to return no value when read:

   *  MAC key values
   *  DTLS private keys

   [draft-11: uses "o" bullets; says "create/delete Babel DTLS
   Certificate sets", "Interface: set of DTLS certificates" and
   "MAC-keys: key used to sign packets"; lists "Interface: enable/
   disable Babel on this interface" after "Interface: Split horizon";
   additionally lists "Interface: MAC algorithm", which draft-12 drops;
   and names "DTLS certificate values" rather than "DTLS private keys"
   as returning no value when read.]

   Note that this overview is intended simply to be informative and is
   not normative. If there is any discrepancy between this overview and
   the detailed information model definitions in subsequent sections,
   the error is in this overview.
3.  The Information Model

3.1.  Definition of babel-information-obj

     object {

   [rfcdiff: skipping to change at page 8, line 16 (draft-11) / page 8,
   line 28 (draft-12); the intervening unchanged text is not shown]

      updates for routes originated by this node. This is a 16-bit
      unsigned integer.

   babel-metric-comp-algorithms:  List of supported cost computation
      algorithms. Possible values include "2-out-of-3", and "ETX". "2-
      out-of-3" is described in [I-D.ietf-babel-rfc6126bis], section
      A.2.1. "ETX" is described in [I-D.ietf-babel-rfc6126bis], section
      A.2.2.

   babel-security-supported:  List of supported security mechanisms.
      Possible values include "MAC" to indicate support of
      [I-D.ietf-babel-hmac] and "DTLS" to indicate support of
      [I-D.ietf-babel-dtls].
      [draft-11: "Possible values include "MAC" and "DTLS"."]

   babel-mac-algorithms:  List of supported MAC computation algorithms.
      Possible values include "HMAC-SHA256", "BLAKE2s-128" to indicate
      support for algorithms indicated in [I-D.ietf-babel-hmac].
      [draft-11: "Possible values include "HMAC-SHA256", "BLAKE2s"."]

   babel-dtls-cert-types:  List of supported DTLS certificate types.
      Possible values include "X.509" and "RawPublicKey" to indicate
      support for types indicated in [I-D.ietf-babel-dtls].
      [draft-11: "Possible values include "X.509" and "RawPublicKey"."]

   babel-stats-enable:  Indicates whether statistics collection is
      enabled (true) or disabled (false) on all interfaces. When
      enabled, existing statistics values are not cleared and will be
      incremented as new packets are counted.

   babel-stats-reset:  An operation that resets all babel-if-stats
      parameters to zero. This operation has no input or output
      parameters.
   [rfcdiff: skipping to change at page 11, line 5 (draft-11) / page 11,
   line 32 (draft-12); the intervening unchanged text is not shown]

   babel-mac-enable:  Indicates whether the MAC security mechanism is
      enabled (true) or disabled (false). An implementation MAY choose
      to expose this parameter as read-only ("ro").

   babel-if-mac-keys-sets:  List of references to the babel-mac entries
      that apply to this interface. When an interface instance is
      created, all babel-mac-key-sets instances with babel-mac-default-
      apply "true" will be included in this list. An implementation MAY
      choose to expose this parameter as read-only ("ro").

   babel-mac-verify  A Boolean flag indicating whether MACs in incoming
      Babel packets are required to be present and are verified. If
      this parameter is "true", incoming packets are required to have a
      valid MAC. An implementation MAY choose to expose this parameter
      as read-only ("ro").
      [draft-11: says "MAC hashes" and "a valid MAC hash".]

   babel-dtls-enable:  Indicates whether the DTLS security mechanism is
      enabled (true) or disabled (false). An implementation MAY choose
      to expose this parameter as read-only ("ro").

   babel-if-dtls-cert-sets:  List of references to the babel-dtls-cert-
      sets entries that apply to this interface. When an interface
      instance is created, all babel-dtls-cert-sets instances with
      babel-dtls-default-apply "true" will be included in this list. An
      implementation MAY choose to expose this parameter as read-only
      ("ro").

   babel-dtls-cached-info:  Indicates whether the cached_info extension
      (see [I-D.ietf-babel-dtls] Appendix A) is included in ClientHello
      and ServerHello packets. The extension is included if the value
      is "true". An implementation MAY choose to expose this parameter
      as read-only ("ro").
      [draft-11: without the "(see [I-D.ietf-babel-dtls] Appendix A)"
      reference.]

   babel-dtls-cert-prefer:  List of supported certificate types, in
      order of preference. The values MUST be among those listed in the
      babel-dtls-cert-types parameter. This list is used to populate
      the server_certificate_type extension (see [I-D.ietf-babel-dtls]
      Appendix A) in a Client Hello. Values that are present in at
      least one instance in the babel-dtls-certs object of a referenced
      babel-dtls instance and that have a non-empty babel-cert-private-
      key will be used to populate the client_certificate_type extension
      in a Client Hello.
      [draft-11: without the "(see [I-D.ietf-babel-dtls] Appendix A)"
      reference.]

   babel-packet-log-enable:  Indicates whether packet logging is enabled
      (true) or disabled (false) on this interface.

   babel-packet-log:  A reference or url link to a file that contains a
      timestamped log of packets received and sent on babel-udp-port on
      this interface. The [libpcap] file format with .pcap file
      extension SHOULD be supported for packet log files. Logging is
      enabled / disabled by babel-packet-log-enable. Implementations
      will need to carefully manage and limit memory used by packet
   [rfcdiff: skipping to change at page 14, line 22 (draft-11) / page 15,
   line 4 (draft-12); the intervening unchanged text is not shown]

      link layer. The rxcost is sent to a neighbor in each IHU. See
      [I-D.ietf-babel-rfc6126bis], section 3.4.3. This is a 16-bit
      unsigned integer.

   babel-cost:  The link cost, as computed from the values maintained in
      the neighbor table: the statistics kept in the neighbor table
      about the reception of Hellos, and the txcost computed from
      received IHU packets. This is a 16-bit unsigned integer.
3.6.  Definition of babel-route-obj

     object {
       ip-address   ro  babel-route-prefix;
       uint         ro  babel-route-prefix-length;
       binary       ro  babel-route-router-id;
       reference    ro  babel-route-neighbor;
       uint         ro  babel-route-received-metric;
       uint         ro  babel-route-calculated-metric;
       uint         ro  babel-route-seqno;
       ip-address   ro  babel-route-next-hop;
       boolean      ro  babel-route-feasible;
       boolean      ro  babel-route-selected;
     } babel-route-obj;

   [draft-11: "string ro babel-route-neighbor;"]

   babel-route-prefix:  Prefix (expressed in IP address format) for
      which this route is advertised.
   [rfcdiff: skipping to change at page 15, line 43 (draft-11) / page 16,
   line 35 (draft-12); the intervening unchanged text is not shown]

   babel-route-selected:  A Boolean flag indicating whether this route
      is selected (i.e., whether it is currently being used for
      forwarding and is being advertised).

3.7.  Definition of babel-mac-key-set-obj

     object {
       boolean            rw  babel-mac-default-apply;
       babel-mac-key-obj  rw  babel-mac-keys<0..*>;
     } babel-mac-key-set-obj;

   [draft-11: the object closes as "} babel-mac-obj;".]

   babel-mac-default-apply:  A Boolean flag indicating whether this
      instance is applied to all new babel-interface instances,
      by default. If "true", this instance is applied to new babel-
      interfaces instances at the time they are created, by including it
      in the babel-if-mac-key-sets list. If "false", this instance is
      not applied to new babel-interfaces instances when they are
      created. An implementation MAY choose to expose this parameter as
      read-only ("ro").
      [draft-11: "whether this babel-mac instance is applied to all new
      babel-interface object instances" and "by including it in the
      babel-interface-mac-keys list".]

   babel-mac-keys:  A set of babel-mac-key-obj objects.
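   Two rules on this page describe what happens when an interface
   instance is created: every key set and certificate set whose
   *-default-apply flag is "true" is referenced automatically (this
   section and babel-if-mac-key-sets / babel-if-dtls-cert-sets in 3.3),
   and babel-dtls-cert-prefer (3.3) drives both the
   server_certificate_type and client_certificate_type extensions, the
   latter restricted to types for which a referenced set actually holds
   a certificate with a private key. The following model is an added
   example, not code from either draft or from any Babel implementation;
   the set names, certificate names and "eth0" are constructed, and the
   function names (create_interface, client_certificate_type, ...) are
   this example's own.

```python
from dataclasses import dataclass, field
from typing import List

@dataclass
class MacKeySet:
    """babel-mac-key-set-obj, reduced to the fields this example needs."""
    name: str
    default_apply: bool          # babel-mac-default-apply

@dataclass
class DtlsCert:
    """babel-dtls-cert-obj, reduced to the fields this example needs."""
    name: str                    # babel-cert-name
    cert_type: str               # babel-cert-type: "X.509" or "RawPublicKey"
    has_private_key: bool        # True when babel-cert-private-key is non-empty

@dataclass
class DtlsCertSet:
    """babel-dtls-cert-set-obj."""
    name: str
    default_apply: bool          # babel-dtls-default-apply
    certs: List[DtlsCert] = field(default_factory=list)

@dataclass
class Interface:
    """The subset of babel-interface-obj involved in set selection and DTLS cert types."""
    name: str
    mac_key_sets: List[MacKeySet] = field(default_factory=list)     # babel-if-mac-key-sets
    dtls_cert_sets: List[DtlsCertSet] = field(default_factory=list) # babel-if-dtls-cert-sets
    cert_prefer: List[str] = field(default_factory=list)            # babel-dtls-cert-prefer

def create_interface(name, mac_key_sets, cert_sets, cert_types_supported, cert_prefer):
    """Create a babel-interface instance: every set whose *-default-apply flag is true
    is referenced automatically, and cert-prefer is checked against babel-dtls-cert-types."""
    unsupported = [t for t in cert_prefer if t not in cert_types_supported]
    if unsupported:
        raise ValueError(f"babel-dtls-cert-prefer contains unsupported types: {unsupported}")
    return Interface(
        name,
        [s for s in mac_key_sets if s.default_apply],
        [s for s in cert_sets if s.default_apply],
        list(cert_prefer),
    )

def server_certificate_type(iface: Interface) -> List[str]:
    """Types offered in the Client Hello server_certificate_type extension:
    the preference list as configured."""
    return list(iface.cert_prefer)

def client_certificate_type(iface: Interface) -> List[str]:
    """Types offered in the client_certificate_type extension: only those preferred
    types for which a referenced cert set holds a certificate with a private key."""
    usable = {c.cert_type
              for s in iface.dtls_cert_sets for c in s.certs if c.has_private_key}
    return [t for t in iface.cert_prefer if t in usable]

def build_sample() -> Interface:
    """Constructed configuration (hypothetical names) used to exercise the rules above."""
    mac_sets = [MacKeySet("mac-default", True), MacKeySet("mac-manual", False)]
    cert_sets = [
        DtlsCertSet("certs-default", True, [
            DtlsCert("router-x509", "X.509", has_private_key=True),
            DtlsCert("peer-rpk", "RawPublicKey", has_private_key=False),  # trust anchor only
        ]),
        DtlsCertSet("certs-manual", False, [
            DtlsCert("router-rpk", "RawPublicKey", has_private_key=True),
        ]),
    ]
    return create_interface("eth0", mac_sets, cert_sets,
                            ["X.509", "RawPublicKey"], ["RawPublicKey", "X.509"])

if __name__ == "__main__":
    iface = build_sample()
    print([s.name for s in iface.mac_key_sets], [s.name for s in iface.dtls_cert_sets])
    print(server_certificate_type(iface), client_certificate_type(iface))
```

   In the constructed sample, RawPublicKey is preferred but the only set
   applied by default carries a raw public key without its private key,
   so the interface offers ["RawPublicKey", "X.509"] to the server and
   only ["X.509"] for itself; referencing the non-default set would add
   RawPublicKey to the client list.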
3.8.  Definition of babel-mac-key-obj

     object {
       string       rw  babel-mac-key-name;
       boolean      rw  babel-mac-key-use-send;
       boolean      rw  babel-mac-key-use-verify;
       binary       --  babel-mac-key-value;
       string       rw  babel-mac-key-algorithm;
       [operation       babel-mac-key-test;]
     } babel-mac-key-obj;

   [draft-11: "boolean rw babel-mac-key-use-sign;"]

   babel-mac-key-name:  A unique name for this MAC key that can be used
      to identify the key in this object instance, since the key value
      is not allowed to be read. This value MUST NOT be empty and can
      only be provided when this instance is created (i.e., it is not
      subsequently writable). The value MAY be auto-generated if not
      explicitly supplied when the instance is created.

   babel-mac-key-use-send:  Indicates whether this key value is used to
      compute a MAC and include that MAC in the sent Babel packet. A
      MAC for sent packets is computed using this key if the value is
      "true". If the value is "false", this key is not used to compute
      a MAC to include in sent Babel packets. An implementation MAY
      choose to expose this parameter as read-only ("ro").
      [draft-11: "babel-mac-key-use-sign: Indicates whether this key
      value is used to sign sent Babel packets. Sent packets are signed
      using this key if the value is "true". If the value is "false",
      this key is not used to sign sent Babel packets. An implementation
      MAY choose to expose this parameter as read-only ("ro")."]

   babel-mac-key-use-verify:  Indicates whether this key value is used
      to verify incoming Babel packets. This key is used to verify
      incoming packets if the value is "true". If the value is "false",
      no MAC is computed from this key for comparing with the MAC in an
      incoming packet. An implementation MAY choose to expose this
      parameter as read-only ("ro").

   babel-mac-key-value:  The value of the MAC key. An implementation
      MUST NOT allow this parameter to be read. This can be done by
      always providing an empty string when read, or through
      permissions, or other means. This value MUST be provided when
      this instance is created, and is not subsequently writable. This
      value is of a length suitable for the associated babel-mac-key-
      algorithm. If the algorithm is based on the HMAC construction
      [RFC2104], the length MUST be between 0 and the block size of the
      underlying hash inclusive (where "HMAC-SHA256" block size is 64
      bytes as described in [RFC4868]). If the algorithm is "BLAKE2s-
      128", the length MUST be between 0 and 32 bytes inclusive, as
      described in [RFC7693].
      [draft-11: names the algorithm "BLAKE2s".]

   babel-mac-key-algorithm  The name of the MAC algorithm used with this
      key. The value MUST be the same as one of the enumerations listed
      in the babel-mac-algorithms parameter. An implementation MAY
      choose to expose this parameter as read-only ("ro").

   babel-mac-key-test:  An operation that allows the MAC key and MAC
      algorithm to be tested to see if they produce an expected outcome.
      Input to this operation are a binary string and a calculated MAC
      (also in the format of a binary string) for the binary string.
      The implementation is expected to create a MAC over the binary
      string using the babel-mac-key-value and the babel-mac-key-
      algorithm. The output of this operation is a Boolean indication
      [draft-11: "An operation that allows the MAC key and hash
      algorithm to be tested to see if they produce an expected outcome.
      Input to this operation is a binary string. The implementation is
      expected to create a hash of this string using the babel-mac-key-
      value and the babel-mac-key-algorithm. The output of this
      operation is the resulting hash, as a binary string."]
that the calculated MAC matched the input MAC (true) or the MACs
did not match (false).
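The babel-mac-key-test operation and the key-length rules for babel-mac-key-value, modelled in Python as an added example that is not part of the draft or of any Babel implementation: the key is checked against the bounds stated for the two algorithms, the MAC is recomputed, and only a Boolean leaves the operation. The 16-byte BLAKE2s-128 digest length is an assumption taken from the Babel MAC draft rather than from this page, and the key and packet bytes are constructed.

```python
import hashlib
import hmac

# Key-length bounds stated for babel-mac-key-value: an HMAC key may be
# 0..block size of the underlying hash (64 bytes for SHA-256, RFC 4868);
# a BLAKE2s-128 key may be 0..32 bytes (RFC 7693).
MAX_KEY_LEN = {"HMAC-SHA256": 64, "BLAKE2s-128": 32}

# Assumption (not stated on this page): BLAKE2s-128 is keyed BLAKE2s
# with a 16-byte digest, as in draft-ietf-babel-hmac.
BLAKE2S_128_DIGEST_SIZE = 16


def validate_mac_key(algorithm: str, key: bytes) -> None:
    """Reject a key whose length is not suitable for the algorithm.

    Zero-length keys pass (the draft allows them for testing), even
    though the Security Considerations say they SHOULD NOT be used.
    """
    if algorithm not in MAX_KEY_LEN:
        raise ValueError(f"unknown babel-mac-key-algorithm: {algorithm}")
    if len(key) > MAX_KEY_LEN[algorithm]:
        raise ValueError(f"{algorithm} key is {len(key)} bytes, "
                         f"maximum is {MAX_KEY_LEN[algorithm]}")


def compute_mac(algorithm: str, key: bytes, data: bytes) -> bytes:
    """Compute the MAC over data with key for the named algorithm."""
    validate_mac_key(algorithm, key)
    if algorithm == "HMAC-SHA256":
        return hmac.new(key, data, hashlib.sha256).digest()
    # BLAKE2s takes the key natively; it is not wrapped in HMAC.
    return hashlib.blake2s(data, key=key,
                           digest_size=BLAKE2S_128_DIGEST_SIZE).digest()


def babel_mac_key_test(algorithm: str, key: bytes,
                       data: bytes, input_mac: bytes) -> bool:
    """Model of the babel-mac-key-test operation.

    Recomputes the MAC over data with the stored key and algorithm and
    returns True only if it equals input_mac.  The key itself never
    leaves the operation, and the comparison is constant-time so the
    Boolean does not leak how many leading bytes matched.
    """
    return hmac.compare_digest(compute_mac(algorithm, key, data), input_mac)


if __name__ == "__main__":
    # Constructed sample key and packet bytes; not taken from the draft.
    key = bytes(range(16))
    packet = b"constructed-babel-packet-bytes"
    good = compute_mac("HMAC-SHA256", key, packet)
    print(babel_mac_key_test("HMAC-SHA256", key, packet, good))        # True
    print(babel_mac_key_test("HMAC-SHA256", key, packet, bytes(32)))   # False
```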
3.9. Definition of babel-dtls-cert-set-obj

object {
boolean rw babel-dtls-default-apply;
babel-dtls-cert-obj rw babel-dtls-certs<0..*>;
} babel-dtls-cert-set-obj;

babel-dtls-default-apply: A Boolean flag indicating whether this instance is applied to all new babel-interface instances, by default. If "true", this instance is applied to new babel-interfaces instances at the time they are created, by including it in the babel-interface-dtls-certs list. If "false", this instance is not applied to new babel-interfaces instances when they are created. An implementation MAY choose to expose this parameter as read-only ("ro").

draft-11 wording: the first sentence read "A Boolean flag indicating whether this babel-dtls instance is applied to all new babel-interface object instances, by default."; the remainder is unchanged.

babel-dtls-certs: A set of babel-dtls-cert-obj objects. This contains both certificates for this implementation to present for authentication, and to accept from others. Certificates with a non-empty babel-cert-private-key can be presented by this implementation for authentication.
3.10. Definition of babel-dtls-cert-obj

object {
string rw babel-cert-name;
string rw babel-cert-value;
string rw babel-cert-type;
binary -- babel-cert-private-key;
} babel-dtls-cert-obj;

draft-11 additionally listed "[operation babel-cert-test;]" in this object, before the closing brace; draft-12 removes it together with its description (kept below for reference).

babel-cert-name: A unique name for this certificate that can be used to identify the certificate in this object instance, since the value is too long to be useful for identification. This value MUST NOT be empty and can only be provided when this instance is created (i.e., it is not subsequently writable). The value MAY be auto-generated if not explicitly supplied when the instance is created.

draft-11 wording: "A unique name for this DTLS certificate ..."; otherwise unchanged.

babel-cert-value: The certificate in PEM format [RFC7468]. This value MUST be provided when this instance is created, and is not subsequently writable.

draft-11 wording: "The DTLS certificate in PEM format [RFC7468]. ..."; otherwise unchanged.

babel-cert-type: The name of the certificate type of this object instance. The value MUST be the same as one of the enumerations listed in the babel-dtls-cert-types parameter. This value can only be provided when this instance is created, and is not subsequently writable.

babel-cert-private-key: The value of the private key. If this is non-empty, this certificate can be used by this implementation to provide a certificate during DTLS handshaking. An implementation MUST NOT allow this parameter to be read. This can be done by always providing an empty string when read, or through permissions, or other means. This value can only be provided when this instance is created, and is not subsequently writable.

babel-cert-test (draft-11 only; removed in draft-12): An operation that allows a hash of the provided input string to be created using the certificate public key and the SHA-256 hash algorithm. Input to this operation is a binary string. The output of this operation is the resulting hash, as a binary string.
4. Extending the Information Model

Implementations MAY extend this information model with other parameters or objects. For example, an implementation MAY choose to expose Babel route filtering rules by adding a route filtering object with parameters appropriate to how route filtering is done in that implementation. The precise means used to extend the information model would be specific to the data model the implementation uses to expose this information.
skipping to change at page 19, line 16 (draft-11) / page 20, line 8 (draft-12)
Misconfiguration (whether unintentional or malicious) can prevent reachability or cause poor network performance (increased latency, jitter, etc.). The information in this model discloses network topology, which can be used to mount subsequent attacks on traffic traversing the network.

This information model defines objects that can allow credentials (for this device, for trusted devices, and for trusted certificate authorities) to be added and deleted. Public keys may be exposed through this model. This model requires that private keys and MAC keys never be exposed. Certificates used by [I-D.ietf-babel-dtls] implementations use separate parameters to model the public parts (including the public key) and the private key.

draft-11 wording of the last two sentences: "This model requires that private keys never be exposed. The Babel security mechanisms that make use of these credentials (e.g., [I-D.ietf-babel-dtls], [I-D.ietf-babel-hmac]) identify what credentials can be used with those mechanisms."

MAC keys are allowed to be as short as zero-length. This is useful for testing. Network operators are RECOMMENDED to follow current best practices for key length and generation of keys related to the MAC algorithm associated with the key. Short (and zero-length) keys are highly susceptible to brute force attacks and therefore SHOULD NOT be used. See the Security Considerations section of [I-D.ietf-babel-hmac] for additional considerations related to MAC keys.

draft-11 wording: "MAC keys are allowed to be as short as zero-length. This is useful for testing. Network operators are advised to follow current best practices for key length and generation of keys related to the MAC algorithm associated with the key. Short (and zero-length) keys and keys that make use of only alphanumeric characters are highly susceptible to brute force attacks."

This information model uses key sets and certification sets to provide a means of grouping keys and certificates. This makes it easy to use a different set per interface, the same set for one or more interfaces, have a default set in case a new interface is instantiated and to change keys and certificates as needed. (This paragraph is new in draft-12.)
6. IANA Considerations

This document has no IANA actions.

7. Acknowledgements

Juliusz Chroboczek, Toke Hoeiland-Joergensen, David Schinazi, Antonin Decimo, Acee Lindem, and Carsten Bormann have been very helpful in refining this information model.

The language in the Notation section was mostly taken from [RFC8193].
8. References

The list below is the draft-12 reference list. In draft-11, the normative references were [I-D.ietf-babel-rfc6126bis] (draft-ietf-babel-rfc6126bis-19, August 2020), [libpcap], [RFC2119], [RFC7468] and [RFC8174]; all other entries, including [I-D.ietf-babel-dtls] (draft-ietf-babel-dtls-10, June 2020) and [I-D.ietf-babel-hmac] (draft-ietf-babel-hmac-10, August 2019), were listed as informative.

8.1. Normative References

[I-D.ietf-babel-dtls] Decimo, A., Schinazi, D., and J. Chroboczek, "Babel Routing Protocol over Datagram Transport Layer Security", Work in Progress, Internet-Draft, draft-ietf-babel-dtls-10, 30 June 2020, <http://www.ietf.org/internet-drafts/draft-ietf-babel-dtls-10.txt>.

[I-D.ietf-babel-hmac] Do, C., Kolodziejak, W., and J. Chroboczek, "MAC authentication for the Babel routing protocol", Work in Progress, Internet-Draft, draft-ietf-babel-hmac-12, 4 September 2020, <http://www.ietf.org/internet-drafts/draft-ietf-babel-hmac-12.txt>.

[I-D.ietf-babel-rfc6126bis] Chroboczek, J. and D. Schinazi, "The Babel Routing Protocol", Work in Progress, Internet-Draft, draft-ietf-babel-rfc6126bis-20, 24 August 2020, <http://www.ietf.org/internet-drafts/draft-ietf-babel-rfc6126bis-20.txt>.

[ISO.10646] International Organization for Standardization, "Information Technology - Universal Multiple-Octet Coded Character Set (UCS)", ISO Standard 10646:2014, 2014.

[libpcap] Wireshark, "Libpcap File Format", 2015, <https://wiki.wireshark.org/Development/LibpcapFileFormat>.

[RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-Hashing for Message Authentication", RFC 2104, DOI 10.17487/RFC2104, February 1997, <https://www.rfc-editor.org/info/rfc2104>.

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <https://www.rfc-editor.org/info/rfc2119>.

[RFC3339] Klyne, G. and C. Newman, "Date and Time on the Internet: Timestamps", RFC 3339, DOI 10.17487/RFC3339, July 2002, <https://www.rfc-editor.org/info/rfc3339>.

[RFC4868] Kelly, S. and S. Frankel, "Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with IPsec", RFC 4868, DOI 10.17487/RFC4868, May 2007, <https://www.rfc-editor.org/info/rfc4868>.

[RFC7468] Josefsson, S. and S. Leonard, "Textual Encodings of PKIX, PKCS, and CMS Structures", RFC 7468, DOI 10.17487/RFC7468, April 2015, <https://www.rfc-editor.org/info/rfc7468>.

[RFC7693] Saarinen, M-J., Ed. and J-P. Aumasson, "The BLAKE2 Cryptographic Hash and Message Authentication Code (MAC)", RFC 7693, DOI 10.17487/RFC7693, November 2015, <https://www.rfc-editor.org/info/rfc7693>.

[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, <https://www.rfc-editor.org/info/rfc8174>.

8.2. Informative References

[RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., and A. Bierman, Ed., "Network Configuration Protocol (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, <https://www.rfc-editor.org/info/rfc6241>.

[RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", RFC 7950, DOI 10.17487/RFC7950, August 2016, <https://www.rfc-editor.org/info/rfc7950>.

[RFC8193] Burbridge, T., Eardley, P., Bagnulo, M., and J. Schoenwaelder, "Information Model for Large-Scale Measurement Platforms (LMAPs)", RFC 8193, DOI 10.17487/RFC8193, August 2017, <https://www.rfc-editor.org/info/rfc8193>.

[TR-181] Broadband Forum, "Device Data Model", <http://cwmp-data-models.broadband-forum.org/>.
Authors' Addresses

Barbara Stark
AT&T
Atlanta, GA,
United States of America
Email: barbara.stark@att.com

Mahesh Jethanandani
VMware
California
United States of America
Email: mjethanandani@gmail.com
End of changes. 69 change blocks. 171 lines changed or deleted, 193 lines changed or added.

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/